So, the requirements for me are:
during the certification of the product (which includes code inspection for undeclared possibilities, testing, and verifying that this code is appropriate for use in specific companies) I don't want to do the certification for the whole of ovirt (as the code inspection would have to be done every time the ovirt version changes, and it takes a really long time). So, I want to build a more lightweight service that just checks accesses and which I can submit for certification less frequently than ovirt (which would need this procedure on every released update). I don't want to touch or modify any ovirt functionality, so filtering at the network level seems to be the best solution for this.
This certification procedure is essential, as every product that supplies security aspects (here, access control) should be thoroughly checked. And we mostly try to develop these overlay services.
On Monday, 29 October 2018, Piotr Kliczewski wrote:
I just need to build an overlay on this system, as in our organization it will be more problematic to certify the whole of ovirt than our tool for call filtering. Just an organizational reason. Also, we want to use an attribute-based model.
I still fail to understand why you need network-level filtering. The structure of your organization should be modeled using permissions. Which calls/functionality are problematic?
Ok, I understood. Thank you for the information. And could you please comment somehow on the approach with error sending which I described in a previous email?
I am not sure what would be the correct error to return here, since every error has a meaning for the engine. For some we fail the action, but for others we attempt to retry or fix the issue by soft-fencing the host.
Can you share with me what you are missing from the current authorization model, so that you need to filter the calls?
On Thursday, 25 October 2018, Piotr Kliczewski wrote:
So, this is an incorrect info, right?
This doc seems not to have been up to date for quite some time. Now we use jsonrpc over stomp.
In virt-manager, for the same purpose, there was an option to send error messages with the help of mitmproxy. I modified this proxy a little bit to be able to use it with any TCP connection.
And this error message was correctly processed. But the amount of source code to analyze in that case was rather small, and I found rather quickly how error messages should be sent and encoded in the RPC.
Is there any possibility like this here?
My proxy is based on mitmproxy, so I want to analyze messages coming from the client to ovirt-engine or from the engine to a node and, based on the content, permit the actions or not. I know that there is access control inside oVirt, but I need to implement a similar thing by myself using a proxy. From ovirt-engine to vdsm it is trickier, as there I have no users and session ids to identify the actor; I can determine only actions.
By using the engine or vdsm certs you could decrypt the traffic. How would you prevent a command from being executed? If you drop packet(s), the engine would attempt to retry or consider vdsm to be down/dead. In either case the engine would be confused.
I would not recommend such an approach, because it may prevent you from using oVirt or break it.
But anyway, I can decipher normal RPC (for virt-manager), got familiar with GWT-RPC (client-engine) and am now trying to understand what is happening with XML-RPC.
As Nir mentioned, we establish a TCP connection and send jsonrpc over stomp.
I need this for my proxy.
What is your proxy?
I need to do this analysis "online", not just by analyzing the logs after the action happened.
Hello!
I was successful in deciphering the traffic between the client and ovirt-engine,
Why do you need to do this? It is easier to add logging to vdsm if you want to see more info about the messages.
Anyway Piotr may help.
Nir
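The thread discusses an inline filter that reads the engine-to-vdsm JSON-RPC traffic carried over STOMP, permits or denies a call based on its content and an attribute-based policy, and answers a denied call with an error rather than dropping the frame (Piotr's caveat: a dropped frame makes the engine retry or treat the host as dead). The sketch below is an added Python example and is not code from the thread or from the oVirt project; the STOMP destinations, the method names in the policy, the subject attributes, the sample frame and the JSON-RPC error code are all assumptions made for illustration, and the JSON-RPC and STOMP framing follows the public specifications of those two protocols.

```python
import json
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample frame (not a capture from a real deployment): a STOMP SEND
# carrying one JSON-RPC 2.0 request. Destination, method and vmID are assumptions.
SAMPLE_FRAME = (
    b"SEND\n"
    b"destination:jms.topic.vdsm_requests\n"
    b"content-type:application/json\n"
    b"\n"
    b'{"jsonrpc": "2.0", "id": "req-1", "method": "VM.destroy",'
    b' "params": {"vmID": "00000000-0000-0000-0000-000000000001"}}'
    b"\x00"
)

# Assumed attribute-based policy: method name -> attributes the subject must carry.
# Empty dict = allowed for anyone; methods absent from the table are denied.
POLICY: Dict[str, Dict[str, str]] = {
    "Host.getStats": {},
    "VM.destroy": {"role": "vm_operator"},
    "Host.setHaMaintenanceMode": {"role": "host_admin", "window": "maintenance"},
}


def parse_stomp_frame(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split a STOMP frame (COMMAND, header lines, blank line, body, NUL) into parts."""
    frame = raw.rstrip(b"\n").rstrip(b"\x00")      # drop terminator and trailing EOLs
    head, _, body = frame.partition(b"\n\n")
    lines = head.decode("utf-8").split("\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers.setdefault(key, value)             # STOMP: first occurrence wins
    if "content-length" in headers:                # body may contain NUL bytes
        body = body[: int(headers["content-length"])]
    return lines[0], headers, body


def extract_requests(body: bytes) -> List[Dict[str, Any]]:
    """Return the JSON-RPC requests in a body; a batch is a JSON array."""
    payload = json.loads(body.decode("utf-8"))
    return payload if isinstance(payload, list) else [payload]


def decide(method: str, subject: Dict[str, str]) -> bool:
    """Default-deny decision: the method must be listed and the subject must match."""
    required = POLICY.get(method)
    if required is None:
        return False
    return all(subject.get(k) == v for k, v in required.items())


def error_frame(request: Dict[str, Any], message: str, code: int = -32001) -> bytes:
    """Build a STOMP MESSAGE frame carrying a JSON-RPC 2.0 error response.

    -32001 lies in the range JSON-RPC reserves for server-defined errors; which
    code the engine tolerates has to be checked against its own handling."""
    response = {"jsonrpc": "2.0", "id": request.get("id"),
                "error": {"code": code, "message": message}}
    body = json.dumps(response).encode("utf-8")
    headers = [("destination", "jms.topic.vdsm_responses"),   # assumed destination
               ("content-type", "application/json"),
               ("content-length", str(len(body)))]
    head = "MESSAGE\n" + "".join(f"{k}:{v}\n" for k, v in headers)
    return head.encode("utf-8") + b"\n" + body + b"\x00"


def filter_frame(raw: bytes, subject: Dict[str, str]) -> Tuple[bool, Optional[bytes]]:
    """Return (forward, response).

    forward=True  -> pass the frame through unchanged.
    forward=False -> do not forward; send `response` back to the requester so the
                     caller sees a well-formed error instead of a silent drop."""
    command, _, body = parse_stomp_frame(raw)
    if command != "SEND":                          # CONNECT/SUBSCRIBE/ACK etc. pass through
        return True, None
    for req in extract_requests(body):
        method = req.get("method", "")
        if not decide(method, subject):
            return False, error_frame(req, f"denied by policy: {method}")
    return True, None


def decode_response(frame: bytes) -> Dict[str, Any]:
    """Convenience: parse the JSON-RPC object carried by a response frame."""
    return json.loads(parse_stomp_frame(frame)[2].decode("utf-8"))


if __name__ == "__main__":
    for subject in ({"role": "vm_operator"}, {"role": "viewer"}):
        forward, response = filter_frame(SAMPLE_FRAME, subject)
        print(subject, "-> forward" if forward else "-> denied", response or b"")
```

The decision is default-deny and keyed on the method name plus subject attributes, which matches the thread's remark that on the engine-to-vdsm leg only the action, not a user or session, can be identified; the attributes would therefore have to come from the proxy's own configuration rather than from the message. The one point the sketch cannot settle is Piotr's: the engine attaches meaning to each error it receives, so the code returned for a denied call has to be validated against the engine's retry and fencing logic before such a filter is put in front of a real host.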